Jeff,
again done them in Safe Mode…
Attached the logs…
Hi willo.c,
I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.
To submit a file to VirusTotal, please click VirusTotal.
Copy and paste the following into the “upload a file” box (one at a time if more than one file is listed):
c:\windows\system32\Smab0.dll
c:\windows\system32\VistaUltm.dll
Scroll down a bit and click “send file”, wait for the results and attach them in your next reply.
Jeff,
I’m going to do the next step in 40 minutes…
That is fine. No hurry.
I analysed the files, but I did not find the button -send file-, so…
SHA256: d4ceed9eeecab9ec14b0bbe3bff53285719295d2c6ba235496c7526890b0a6d2
File name: Smab0.dll
Detection ratio: 2 / 42
Analysis date: 2012-03-27 13:21:35 UTC ( 1 settimana ago )
Antivirus Result Update
AhnLab-V3 - 20120326
AntiVir - 20120327
Antiy-AVL - 20120327
Avast - 20120327
AVG - 20120327
BitDefender - 20120327
ByteHero - 20120327
CAT-QuickHeal - 20120327
ClamAV PUA.Packed.PECompact-1 20120327
Commtouch - 20120327
Comodo - 20120327
DrWeb - 20120327
Emsisoft - 20120327
eSafe Suspicious File 20120326
eTrust-Vet - 20120327
F-Prot - 20120327
F-Secure - 20120327
Fortinet - 20120327
GData - 20120327
Ikarus - 20120327
Jiangmin - 20120326
K7AntiVirus - 20120326
Kaspersky - 20120327
McAfee - 20120327
McAfee-GW-Edition - 20120327
Microsoft - 20120327
NOD32 - 20120327
Norman - 20120327
nProtect - 20120327
Panda - 20120327
PCTools - 20120326
Rising - 20120327
Sophos - 20120327
SUPERAntiSpyware - 20120323
Symantec - 20120327
TheHacker - 20120326
TrendMicro - 20120327
TrendMicro-HouseCall - 20120327
VBA32 - 20120327
VIPRE - 20120327
ViRobot - 20120327
VirusBuster - 20120323
SHA256: 87f87804767a255f95873b59f5a841e47dc749d84679b018328eb86109b85715
File name: vistaultm.dll
Detection ratio: 3 / 43
Analysis date: 2012-03-25 10:02:11 UTC ( 1 settimana, 2 giorni ago )
Antivirus Result Update
AhnLab-V3 - 20120324
AntiVir - 20120323
Antiy-AVL - 20120325
Avast - 20120325
AVG - 20120325
BitDefender - 20120325
ByteHero - 20120319
CAT-QuickHeal - 20120324
ClamAV PUA.Packed.PECompact-1 20120325
Commtouch - 20120325
Comodo - 20120325
DrWeb - 20120325
Emsisoft - 20120325
eSafe Suspicious File 20120322
eTrust-Vet - 20120323
F-Prot - 20120325
F-Secure - 20120325
Fortinet - 20120324
GData - 20120325
Ikarus - 20120325
Jiangmin - 20120324
K7AntiVirus - 20120323
Kaspersky - 20120325
McAfee - 20120325
McAfee-GW-Edition - 20120324
Microsoft - 20120325
NOD32 - 20120325
Norman - 20120324
nProtect - 20120325
Panda - 20120325
PCTools - 20120323
Prevx - 20120325
Rising - 20120323
Sophos - 20120325
SUPERAntiSpyware Trojan.Agent/Gen-StartPage 20120323
Symantec - 20120325
TheHacker - 20120324
TrendMicro - 20120325
TrendMicro-HouseCall - 20120325
VBA32 - 20120323
VIPRE - 20120325
ViRobot - 20120324
VirusBuster - 20120323
Tell me if it is enough…
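The pasted VirusTotal tables above carry one engine per line as `engine result update-date`, with `-` meaning no detection. As an added example (not part of the original posts), the following keeps only the engines that flagged the file and checks their count against the stated detection ratio; the function names are hypothetical and the sample is a constructed excerpt of lines copied from the Smab0.dll report.

```python
import re

# Constructed sample: a few lines copied from the Smab0.dll report above.
SAMPLE_REPORT = """\
File name: Smab0.dll
Detection ratio: 2 / 42
Analysis date: 2012-03-27 13:21:35 UTC ( 1 settimana ago )
Antivirus Result Update
AhnLab-V3 - 20120326
ClamAV PUA.Packed.PECompact-1 20120327
eSafe Suspicious File 20120326
Kaspersky - 20120327
Microsoft - 20120327
"""

# engine name (no spaces), free-text result, 8-digit signature date
ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<result>.+?)\s+(?P<update>\d{8})$")
RATIO = re.compile(r"^Detection ratio:\s*(\d+)\s*/\s*(\d+)$")


def parse_report(text):
    """Return (stated_ratio, rows); each row is (engine, result_or_None, update)."""
    stated, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        m = RATIO.match(line)
        if m:
            stated = (int(m.group(1)), int(m.group(2)))
            continue
        m = ROW.match(line)
        if m:  # header, hash and date lines do not match and are skipped
            result = m.group("result")
            rows.append((m.group("engine"),
                         None if result == "-" else result,
                         m.group("update")))
    return stated, rows


def detections(rows):
    """Map engine -> verdict for engines that reported something."""
    return {engine: result for engine, result, _ in rows if result is not None}


def count_consistent(stated, rows):
    """True when the number of flagged engines equals the stated numerator."""
    return stated is not None and stated[0] == len(detections(rows))


if __name__ == "__main__":
    stated, rows = parse_report(SAMPLE_REPORT)
    print(stated, detections(rows), count_consistent(stated, rows))
```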
In the waiting time, you could have a look at my problem… (“Having fun with…”) It seems like I have quite a lot in common with this thread… (well no more waiting time here… damn…)
Additional info…
Hi,
[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21173:TCP"=-
"21173:UDP"=-
"11578:TCP"=-
"11578:UDP"=-
[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Here the new Combofix log.
Hi,
Are you still using ZoneAlarm as your firewall by chance?
Malwarebytes
ESET Online Scanner
I’d like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[*]Do not use this instance of your browser for anything besides doing this scan
[*]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.
[*]Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
[*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
[*]For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)[list=1]
[*]Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
[*]Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
[*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
[*]Click the Start button.
[*]Accept any security warnings from your browser.
[*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
[*]Make sure that the option “Remove found threats” is Unchecked
[*]Push the Start button.
[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
[*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
[*]Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
[*]Push the Back button.
[*]Push Finish
In your next reply please attach the logs made by Malwarebytes and ESET online scanner.
Jeff,
Remember the process services.exe is still running and it takes almost all my CPU, at least in Normal mode.
In Safe Mode I cannot completely disable my antivirus… And it is always difficult to run something…
I'll try to do the steps you kindly suggested…
I'll keep you informed…
Jeff…
Here the log of the last scan…
I have not finished the ESET Online Scan (50%), I will rescan my computer tomorrow…
Anyway I attached the results…
"i will rescan my computer tomorrow.."
Ok, let me know. :)
Jeff,
finally we have an ESET log… It is attached…
In the previous post you can find the Malwarebytes log…
Are we close to the solution??
Thanks
Hi,
[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:
File::
C:\Documents and Settings\Willy\My Documents\Download\SoftonicDownloader76569.exe
C:\Documents and Settings\Willy\My Documents\Download\Windows-Media-Player-Firefox-Plugin-1-0-0-8-Italian.exe
C:\Documents and Settings\Willy\My Documents\Programmi LEP\Nero.v.8.1.1.0 .exe
[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
In your next reply please attach the new ComboFix log and let me know how things are running now?
Here the new Combofix log…
There is still the process Services.exe that takes 90% of my CPU… This is the only problem, I think…
Jeff,
Any other suggestions to stop this process?
Hi,
Let’s get a fresh scan and try to see what is using all that…
Run a new scan with OTL
In Custom Scans/Fixes put the following:
netsvcs
Press the Run Scan button and attach the logs created.
Here the OTL log done in Safe Mode, because I can't get to the end in Normal mode…
Consider that services.exe takes 50-60% of CPU in Safe Mode, and 85-95% in Normal mode…
In your opinion, do I have to format C?
I am not sure about formatting yet.
You never mentioned whether or not you are still using ZoneAlarm. In my experience that can be quite a resource hog.